United States Patent and Trademark Ofhce 



UNITED STATES DEPARTMENT OF COMMERCE 
United States Patent and Trademark OtBce 

Address: COMMISSIONER FOR PATENTS 



APPLICATION NO. 



FILING DATE 



FIRST NAMED INVENTOR 



ATTORNEY DOCKET NO. CONFIRMATION NO. 



10/026,403 



12/21/2001 



Lawrence R. MiUer 



72167-000570 



21967 7590 04/06/2009 

HUNTON & WILLIAMS LLP 

intellectual property DEPARTMENT 
1900 K STREET, N.W. 
SUITE 1200 

WASHINGTON, DC 20006-1109 



PYZOCHA, MICHAEL J 



PAPER NUMBER 



DELIVERY MODE 



Please find below and/or attached an Office communication concerning this application or proceeding. 

The time period for reply, if any, is set in the attached communication. 



PTOL-90A (Rev. 04/07) 



KJtSiVrXS nvrliyjts OUff Iff fcff Jr 


Application No. 

10/026,403 


Applicant(s) 

MILLER ET AL. 


Examiner 

MICHAEL PYZOCHA 


Art Unit 

2437 





- The MAILING DATE of this communication appears on the cover sheet with the correspondence address — 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
eamed patent term adjustment. See 37 CFR 1 .704(b). 

Status 

1 )^ Responsive to communication(s) filed on 03 March 2009 . 
2a )□ This action is FINAL. 2b)|3 This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 11, 453 O.G. 213. 

Disposition of Claims 

4) ^ Claim(s) 1-4.6.8-20.23 and 25-29 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) n Claim(s) is/are allowed. 

6) |EI Claim(s) 1-4.6.8-20.23 and 25-29 is/are rejected. 
/)□ Claim(s) is/are objected to. 

8) 0 Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) 0 The specification is objected to by the Examiner. 

10)0 The drawing(s) filed on is/are: a)^ accepted or b)^ objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held In abeyance. See 37 CFR 1.85(a). 

Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 
1 !)□ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12)0 Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a)n All b)n Some * c)^ None of: 

1 .□ Certified copies of the priority documents have been received. 

2. n Certified copies of the priority documents have been received in Application No. . 

3. n Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 



Attach ment(s) 

1 ) ^ Notice of References Cited (PTO-892) 4) □ Interview Summary (PTO-41 3) 

2) □ Notice of Draftsperson's Patent Drawing Review (PTO-948) Paper No(s)/IVIail Date. 

3) □ Information Disclosure Statement(s) (PTO/SB/08) 5) □ Notice of Informal Patent Application 

Paper No(s)/Mail Date . 6) □ Other: . 



PTOL-T26'(Rev^'o8-0^^ 



Office Action Summary 



Part of Paper No./Mail Date 20090330 



Application/Control Number: 10/026,403 Page 2 

Art Unit: 2437 

DETAILED ACTION 

1 . Claims 1-4, 6, 8-20, 23, 25, and 26-29 are pending. 

2. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1 .17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1 .17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
03/03/2009 has been entered. 

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

4. Claims 9-19, 23 and 27 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Squier et al. (US 7188181) in view of Sampson et al. (US 6339423). 

As per claims 9-13, 17, 23 and 27, Squier et al. discloses inputting at a first 
system that grants session credentials based on successful authentication, a request 
from a client to access a protected resource on the first system, the protected resource 
on the first system being accessible by the client only after successful authentication of 
the client at the first system (see column 5 lines 54-63); determining at the first system 
that a client does not have a valid session credential granted by the first system (see 
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column 5 line 64 through column 6 line 4); retrieving, at the first system, information 
from a session token held by the client, the information being retrieved from the client, 
the information corresponding to a session credential for the second system, the second 
system grants session credentials based on successful authentication at the second 
system and includes protected resources on the second system that is accessible by 
the client, the protected resource on the second system being accessible by the client 
only after successful authentication of the client at the second system (see column 6 
lines 4-15) the first system presenting at least some of the information from the session 
token to the second system; the first system inputting a determination from the second 
system that the client has a valid session credential with the second system; and the 
first system effecting successful authentication to the client so as to grant access to the 
protected resource on the first system, to the client based on the determination from the 
second system that the client has a valid session credential with the second system 
(see column 6 line 41 through column 7 line 5 see also figure 2) the first system 
inputting information from the second system and in response the first system outputting 
to the second system a determination that the first system has a valid session credential 
for the client at the first system; and the second system effecting successful 
authentication so as to grant access to the further protected resource on the second 
system to the client based on the determination from the first system that the client has 
a valid session credential with the first system (see column 6 lines 41-56 and column 8 
lines 29-63 and column 9 lines 2-4). 
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Squier et al. discloses that the request and session information are sent at the 
same time (see column 5 lines 54-63), therefore fails to disclose the session information 
is retrieved from the client after determining that the client does not have valid session 
credentials. 

However, Sampson et al. teaches sending a request to a server and the server 
determining that the client doesn't have valid session credentials and requesting a 
session token from the client (see column 3 lines 34-43 where the data transmitted to 
the browser to go to the first server is a request to get a session token, i.e. cookies). 

At the time of the invention it would have been obvious to a person of ordinary 
skill In the art to request the client of Squier et al. to send a session token when It Is 
determined that the client doesn't have valid session credentials. 

Motivation to do so would have been to allow a user to obtain credentials to 
access a server when the user did not originally have the credentials (see Sampson et 
al. column 3 lines 34-43). 

As per claim 14, the modified Squier et al. and Sampson et al. system discloses 
granting a session credential to the client by the first system, after determining that the 
client has a valid session credential granted by the second system (see Squier et al. 
column 6 lines 57-62). 

As per claim 15, the modified Squier et al. and Sampson et al. system discloses 
maintaining the client session credential granted by the second system (see Squier et 
al. column 6 lies 57-64). 
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As per claims 16 and 19, the modified Squier et al. and Sampson et al. system 
discloses associating session credentials for the first system and the second system 
with the client (see Squier et al. column 6 lines 57-64). 

As per claim 18, the modified Squier et al. and Sampson et al. system discloses 
granting the client session credentials for the first system (see Squier et al. column 6 
lines 57-64). 

5. Claims 1-4, 6, 8, 20, 28 and 29 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over the modified Squier et al. and Sampson et al. system in view of 
Howard et al. (US 6584505). 

As per claims 1 , 20, 28 and 29, the modified Squier et al. and Sampson et al. 
system discloses inputting at a first system that grants session credentials based on 
successful authentication, a request from a client to access a protected resource on the 
first system, the protected resource on the first system being accessible by the client 
only after successful authentication of the client at the first system (see Squier et al. 
column 5 lines 54-63); determining at the first system that a client does not have a valid 
session credential granted by the first system (see Squier et al. column 5 line 64 
through column 6 line 4 and Sampson et al. column 3 lines 34-43); after the determining 
retrieving, at the first system, information from a session token held by the client, the 
information being retrieved from the client, the information corresponding to a session 
credential for the second system, the second system grants session credentials based 
on successful authentication at the second system and includes protected resources on 
the second system that is accessible by the client, the protected resource on the second 
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system being accessible by the client only after successful authentication of the client at 
the second system (see Squier et al. column 6 lines 4-15 and Sampson et al. column 3 
lines 34-43) the first system presenting at least some of the information from the 
session token to the second system; the first system inputting a determination from the 
second system that the client has a valid session credential with the second system; 
and the first system effecting successful authentication to the client so as to grant 
access to the protected resource on the first system, to the client based on the 
determination from the second system that the client has a valid session credential with 
the second system (see Squier et al. column 6 line 41 through column 7 line 5 see also 
figure 2). 

The modified Squier et al. and Sampson et al. system fails to discloses directing 
the client to the first system to establish a session credential based on successful 
authentication at the first system, after determining that the client does not have a valid 
session credential granted by the second system. 

However, Howard et al. teaches such redirection (see column 6 lines 51-52 and 
column 8 lines 54-57). 

At the time of the invention it would have been obvious to a person of ordinary 
skill in the art to redirect the client to a different server upon failed authentication. 

Motivation to do so would have been to allow the user to authenticate to a known 
server (see Howard et al. column 7 lines 52-65). 

As per claim 2, the modified Squier et al., Sampson et al. and Howard et al. 
system discloses granting a session credential to the client by the first system, after 
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determining tliat the client has a valid session credential granted by the second system 
(see Squier et al. column 6 lines 57-62). 

As per claim 3, the modified Squier et al., Sampson et al. and Howard et al. 
system discloses sending a session token to the client, the token corresponding to a 
session credential granted by the first system (see Squier et al. column 6 lines 57-62). 

As per claim 4, the modified Squier et al., Sampson et al. and Howard et al. 
system discloses a method comprising directing the client to the second system to 
establish a session credential based on successful authentication at the second system, 
after determining that the client does not have a valid session credential granted by the 
second system (see Squier et al. column 6 lines 30-40). 

As per claim 6, the modified Squier et al., Sampson et al. and Howard et al. 
system discloses maintaining the client session credential granted by the second 
system (see Squier et al. column 6 lies 57-64). 

As per claim 8, the modified Squier et al., Sampson et al. and Howard et al. 
system discloses retrieving information from the session token held by the client 
comprises: sending a query to the client from the first system, the query including 
identification as originating from a domain name corresponding to the second system; 
and receiving a response to the query (see Howard column 8, lines 8-11). 
6. Claims 25 and 26 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over the modified Squier et al. and Sampson et al. system as applied to claim 23 above, 
and further in view of Marks et al. (US 20010054059). 
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As per claims 25 and 26 the modified Squier et al. and Sampson et al. system 
fails to disclose that the protected resource is pay-per-use or subscription content. 

However, Marks et al. teaches content of this type (see paragraph [0028]). 

At the time of the invention it would have been obvious to a person of ordinary 
skill in the art to protect pay-per-use and subscription content using the modified Squier 
et al. and Sampson et al. system. 

Motivation to do so would have been that this type of content costs money and 
protecting them prevents free use of the content. 

Response to Arguments 

7. Applicant's arguments filed 10/28/2008 have been fully considered but they are 
not persuasive. Applicant argues that Squier fails to teach "receiving a session token 
from the client corresponding to the second system" and "granting a session credential 
to the client on the first system, after determining that the client has a valid session 
credential granted on the second system"; the motivation to combine Sampson with 
Squire is insufficient; such a modification would change the principle operation of 
Squire; Sampson fails to teach "determining, at the first system that a client does not 
have a valid session credential granted by the first system" and the remaining 
references fail to cure these deficiencies. 

With respect to Applicant's argument that Squier fails to teach "receiving a 
session token from the client corresponding to the second system" and "granting a 
session credential to the client on the first system, after determining that the client has a 
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valid session credential granted on the second system", in the Squire system the 
destination server (i.e. first system) receives a request with the session identifier (i.e. 
session token) from the origin server (i.e. second system) (see column 5 lines 64-67). 
After the destination server can authorize the received token it creates a new session 
identifier for the client with relation to the destination server (see column 6 lines 57-62). 
Therefore, Squire teaches the claimed limitations. 

With respect to Applicant's argument that the motivation to combine Sampson 
with Squire is insufficient and such a modification would change the principle operation 
of Squire, the Squire system requires a user to send a request for a service with a 
session identifier thereby requiring that a user already have the session identifier (i.e. 
credentials). On the other hand Sampson allows a user to request a service without 
any credentials (i.e. session identifier or cookie) and when the first server determines 
that the request does not have any credentials for the first server it obtains credentials, 
from the client, which are from a different server to allow the user to access the first 
server. This provides the added benefit that the client can obtain credentials to access 
a server when the user did not originally have the credentials (as stated for motivation to 
combine). In other words this provides that a user does not have to permanently store 
the credentials because the user can retrieve them from the other server and only hold 
them long enough to send them to the first server. Furthermore, both Squire and 
Sampson teach methods of requesting a service from a server using session 
information from a different server and it would be obvious to replace Squires' method 
of sending the session information together with the request with Sampson's method of 
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sending the request separately from the session information because it would provide 
the predictable result of authenticating a user at a first server using session information 
from a second server. Additionally, it is clear that Squire and Sampson relate to similar 
methods with Sampson performing a step of Squire in multiple steps that would not 
change the principle operation of Squire. 

With respect to Applicant's argument that Sampson fails to teach "determining, at 
the first system that a client does not have a valid session credential granted by the first 
system", Sampson teaches that a client requests access to a system and when the 
system determines that the request did not include a cookie (i.e. session credential) for 
this system it requests the client to obtain a cookie from a different server. Therefore, 
when combined with the teaches of Squire, the combination teaches "determining, at 
the first system that a client does not have a valid session credential granted by the first 
system". 

Applicant's argument that the remaining references fail to cure the above 
mentioned deficiencies is moot in view of the above response. 

Conclusion 

8. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. Makower teaches single sign-on with redirection. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to MICHAEL PYZOCHA whose telephone number is 
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(571)272-3875. The examiner can normally be reached on Monday-Thursday, 7:00am - 
4:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on (571 ) 272-3865. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated Information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Michael Pyzocha/ 
Examiner, Art Unit 2437 



